Analysis
max time kernel: 147s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted
01-07-2024 03:57
Static task: static1
Behavioral task behavioral1: Sample cmlauncher.zip, Resource win7-20240220-en
Behavioral task behavioral2: Sample cmlauncher.zip, Resource win10v2004-20240226-en
Behavioral task behavioral3: Sample installer.rar, Resource win7-20240508-en
Behavioral task behavioral4: Sample installer.rar, Resource win10v2004-20240508-en
Behavioral task behavioral5: Sample winrar-x64.exe, Resource win7-20240611-en
Behavioral task behavioral6: Sample winrar-x64.exe, Resource win10v2004-20240226-en
General
Target: cmlauncher.zip
Size: 5.4MB
MD5: 4bafdeafd9dcfb5fdf156cd7bcf60ed8
SHA1: 08a4cf8357422a02193293b5f372c6e3e1ba8810
SHA256: 398ebc3476435e57bdfffbd414a1f19feb68e38cbbded7130bf8c4f5c6036e13
SHA512: 44df7a2b8c1bf320691030bf1fcab8f553aff35cae93214600b0505170f766270ffea3b637733cfaa1e8e914d6fc8f61c59221b66471d893596aa2fcc2a1b059
SSDEEP: 98304:PbzXenum2GtQL/zeyTo96Tc0I/UKkulf3u11xsTvIKD1voBhUiVuuxxCTH:PbyumFKzeyToMTW/3Vf3u1/SvtxoUi7O
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Modifies Internet Explorer settings
Processes: Groove.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | Groove.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | Groove.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | Groove.exe
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | Groove.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | Groove.exe
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | Groove.exe
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt | Groove.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | Groove.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | Groove.exe
Modifies registry class 5 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | explorer.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: Groove.exe
pid | process
2904 | Groove.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe
pid | process
2260 | explorer.exe
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes: explorer.exe
description | pid | process
Token: SeShutdownPrivilege | 2260 | explorer.exe
Token: SeShutdownPrivilege | 2260 | explorer.exe
Token: SeShutdownPrivilege | 2260 | explorer.exe
Token: SeShutdownPrivilege | 2260 | explorer.exe
Token: SeShutdownPrivilege | 2260 | explorer.exe
Token: SeShutdownPrivilege | 2260 | explorer.exe
Token: SeShutdownPrivilege | 2260 | explorer.exe
Token: SeShutdownPrivilege | 2260 | explorer.exe
Token: SeShutdownPrivilege | 2260 | explorer.exe
Token: SeShutdownPrivilege | 2260 | explorer.exe
Token: SeShutdownPrivilege | 2260 | explorer.exe
Token: SeShutdownPrivilege | 2260 | explorer.exe
Token: SeShutdownPrivilege | 2260 | explorer.exe
Token: SeShutdownPrivilege | 2260 | explorer.exe
Suspicious use of FindShellTrayWindow 28 IoCs
Processes: explorer.exe
pid | process
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
Suspicious use of SendNotifyMessage 20 IoCs
Processes: explorer.exe
pid | process
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
2260 | explorer.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes: Groove.exe, DW20.EXE
description | pid | process | target process
PID 2904 wrote to memory of 2808 | 2904 | Groove.exe | DW20.EXE
PID 2904 wrote to memory of 2808 | 2904 | Groove.exe | DW20.EXE
PID 2904 wrote to memory of 2808 | 2904 | Groove.exe | DW20.EXE
PID 2904 wrote to memory of 2808 | 2904 | Groove.exe | DW20.EXE
PID 2904 wrote to memory of 2808 | 2904 | Groove.exe | DW20.EXE
PID 2904 wrote to memory of 2808 | 2904 | Groove.exe | DW20.EXE
PID 2904 wrote to memory of 2808 | 2904 | Groove.exe | DW20.EXE
PID 2808 wrote to memory of 2644 | 2808 | DW20.EXE | dwwin.exe
PID 2808 wrote to memory of 2644 | 2808 | DW20.EXE | dwwin.exe
PID 2808 wrote to memory of 2644 | 2808 | DW20.EXE | dwwin.exe
PID 2808 wrote to memory of 2644 | 2808 | DW20.EXE | dwwin.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\cmlauncher.zip
  PID: 3036
- C:\Program Files (x86)\Microsoft Office\Office14\Groove.exe
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\Groove.exe" /TrayOnly /NoLogon
  Signatures: Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  PID: 2904
  - C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
    Command line: "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1324
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2808
    - C:\Windows\SysWOW64\dwwin.exe
      Command line: C:\Windows\system32\dwwin.exe -x -s 1324
      PID: 2644
- C:\Windows\explorer.exe
  Command line: explorer.exe
  Signatures: Boot or Logon Autostart Execution: Active Setup; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  PID: 2260
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: 41c2568badec1be9dc7a4098d1187287
  SHA1: 1c70ad948ae7fcafae9d06b62d133b6a808e03e4
  SHA256: 67309991c886afc03bfe1c6f42938ff12a6842857845dfe1f0f1d94b81329988
  SHA512: d208b1552cfa7cd387c143a26a93733323bd44a95635de37b23b3897b29c79fc19c095011247ea42c226c994cf63d4c0b9b6c1d5d3590875f4729ff02efa1af3
- Filesize: 560B
  MD5: c3f15ff330cc09568b3bd64d8cdaae4d
  SHA1: 5c279769ec9b93f3c000168f79a148d6ebd9e688
  SHA256: fab69b5b807e71cab8f7988ac60330e8da22e73c0ba51bb1871507f21d6d9627
  SHA512: c777a361025c98d7bd5332879163f50e9559f0092da232ce424bd6a9af80e340947d69a9f4b0917b007a9c2be870a0a098d4d5f8dc99323905246f28899b2b51
- Filesize: 128KB
  MD5: 14de5c789248bc93a88b982bb49c8f77
  SHA1: 26e4dc49fdbeb098adad074ecd9628f69952abd9
  SHA256: c03f01f1ed30ab38a5dd2650ec0044c94f0dddad8ab37ddcf566c7977b10370e
  SHA512: 6b3aae0e7e0d886b9c065b7fb1502cb977f69c1e484bf331272e8cdd68afd4a5610f226f04b4d333ef4834fa1549caf778b6bf59ae537759c373fa9dfb182d19